tink-crypto / tink-java

Java implementation of Tink
https://developers.google.com/tink
Apache License 2.0

Proper storage of existing Keyset on Android, either with AndroidKeysetManager or SharedPrefKeysetWriter #21

Closed patricks-dev closed 7 months ago

patricks-dev commented 9 months ago

Help us help you

Done :-)

Is your feature request related to a problem?

Yes. I need to store an existing Keyset in an adequate way. AndroidKeysetManager doesn't provide an API to import a KeysetHandle object (it seems the only way to have AndroidKeysetManager handle the Keyset is after it creates it using a template, which is not possible in my case).

What sort of feature would you like to see?

An extended API enabling importing an existing KeysetHandle to a shared preference using AndroidKeysetManager.

Or cancelling the deprecation of SharedPrefKeysetWriter (documented as @deprecated We do not expect anyone to use this class) and updating the signatures of SharedPrefKeysetWriter::write and SharedPrefKeysetReader::read to handle objects of type KeysetHandle instead of com.google.crypto.tink.proto.Keyset, documenting its possible use with CleartextKeysetHandle and adding something like @see CleartextKeysetHandle#write to its javadoc.

Or even better, all of the above and also providing an EncryptedSharedPrefKeysetWriter using EncryptedSharedPreferences?

Or any workaround that doesn't make me feel like I'm "juggling with chainsaws" ;-)

Have you considered any alternative solutions?

Documentation states that using Android Keystore is unreliable on some devices. Documentation states that using AndroidKeysetManager saves keystores in cleartext somewhere that remains inaccessible to any other apps running on the same device; AFAIK this means it happens in a shared preference in app storage. While storing keys in cleartext in user-defined JSON files in app storage may offer the same security (provided by the OS), it doesn't feel so clean or safe.

Would you like to add additional context?

My base requisite is deterministic HPKE Keyset generation, for leveraging security (it is only a fail-safe, as data transfer and storage are already allegedly secure) against the risk of (dramatic) data loss.

juergw commented 8 months ago

Thanks for your request. I agree that AndroidKeysetManager was not really meant to be used with your use case. But it should be possible to use the non-deprecated APIs to achieve what you are trying to do. I think your goal is to write the keyset you have in a KeysetHandle, encrypted, to the shared prefs, using Android Keystore to encrypt it. You can do this like this:

I will see how we can improve our documentation for this.

juergw commented 8 months ago

We have decided to remove the deprecation on SharedPrefKeysetWriter, see https://github.com/tink-crypto/tink-java/commit/0135473af3ae1c8eee0361b1967da9d6a7ea35af. But I did add a comment that it is preferable to use TinkProtoKeysetFormat and how to migrate.
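Both maintainer comments above point to the same approach: keep the keyset in a KeysetHandle, encrypt it with an Android Keystore backed Aead, and persist the result with TinkProtoKeysetFormat instead of the deprecated writer. The following helper is an added example for this thread, not code from tink-java or from the commenters. It assumes a KeysetHandle the app already holds (for instance an HPKE private keyset), and the preference file name, preference key, and Keystore alias are constructed placeholders. The public tink-java calls used (AndroidKeystoreKmsClient.getOrGenerateNewAeadKey, TinkProtoKeysetFormat.serializeEncryptedKeyset / parseEncryptedKeyset, HybridConfig.register) are real APIs; everything else is the example's own.

```java
import android.content.Context;
import android.content.SharedPreferences;
import android.util.Base64;

import com.google.crypto.tink.Aead;
import com.google.crypto.tink.KeysetHandle;
import com.google.crypto.tink.TinkProtoKeysetFormat;
import com.google.crypto.tink.hybrid.HybridConfig;
import com.google.crypto.tink.integration.android.AndroidKeystoreKmsClient;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;

/**
 * Hypothetical helper (not part of tink-java): stores an existing KeysetHandle in
 * SharedPreferences, encrypted under a key that lives in the Android Keystore.
 */
public final class EncryptedKeysetPrefs {
  // Constructed names for this example; an app would choose its own.
  private static final String PREF_FILE = "tink_keysets";
  private static final String PREF_KEY = "hpke_keyset";
  private static final String MASTER_KEY_URI = "android-keystore://hpke_keyset_master_key";
  // Associated data binds the ciphertext to this preference key, so a blob copied
  // from one preference entry to another fails to decrypt instead of being accepted.
  private static final byte[] ASSOCIATED_DATA = PREF_KEY.getBytes(StandardCharsets.UTF_8);

  static {
    try {
      // Registers the hybrid (including HPKE) key managers needed to parse the keyset.
      HybridConfig.register();
    } catch (GeneralSecurityException e) {
      throw new IllegalStateException("Tink hybrid registration failed", e);
    }
  }

  private EncryptedKeysetPrefs() {}

  /** Returns the Keystore-backed Aead, generating the master key on first use. */
  private static Aead masterKeyAead() throws GeneralSecurityException, IOException {
    return AndroidKeystoreKmsClient.getOrGenerateNewAeadKey(MASTER_KEY_URI);
  }

  /** Encrypts the keyset with the Keystore master key and stores it as Base64 text. */
  public static void write(Context context, KeysetHandle handle)
      throws GeneralSecurityException, IOException {
    byte[] encryptedKeyset =
        TinkProtoKeysetFormat.serializeEncryptedKeyset(handle, masterKeyAead(), ASSOCIATED_DATA);
    SharedPreferences prefs = context.getSharedPreferences(PREF_FILE, Context.MODE_PRIVATE);
    prefs.edit()
        .putString(PREF_KEY, Base64.encodeToString(encryptedKeyset, Base64.NO_WRAP))
        .apply();
  }

  /** Reads the stored blob back, or returns null when nothing has been written yet. */
  public static KeysetHandle read(Context context) throws GeneralSecurityException, IOException {
    SharedPreferences prefs = context.getSharedPreferences(PREF_FILE, Context.MODE_PRIVATE);
    String stored = prefs.getString(PREF_KEY, null);
    if (stored == null) {
      return null;
    }
    byte[] encryptedKeyset = Base64.decode(stored, Base64.NO_WRAP);
    // Fails with GeneralSecurityException if the blob was tampered with or the
    // associated data does not match.
    return TinkProtoKeysetFormat.parseEncryptedKeyset(
        encryptedKeyset, masterKeyAead(), ASSOCIATED_DATA);
  }
}
```

The keyset material never reaches SharedPreferences in cleartext; only the Keystore-wrapped ciphertext is stored, and the Keystore key itself is non-exportable. The helper deliberately propagates Keystore failures (the unreliability on some devices mentioned earlier in the thread) rather than silently falling back to a cleartext write, so the calling code decides how to handle such a device.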